In today's digital landscape, third-party cookies have long been essential tools for online advertising, retargeting, and abandoned cart recovery. However, recent changes in browser policies, user preferences, and legal regulations have initiated a paradigm shift, making it increasingly difficult to rely on these traditional methods of tracking.
This article will explore the evolving landscape of online tracking, highlighting the steps taken by browser vendors to limit third-party cookies, the impact of browser plugins that block tracking, and the legal implications of changing data privacy regulations.
A brief background on third-party cookies
As an online user, you've likely encountered third-party cookies without even realizing it. A third-party cookie is a small text file placed on your device by a website other than the one you're visiting. They enable advertisers and other third parties to track your activity across multiple sites, building a profile of your interests and habits.
Third-party cookies have formed the backbone of the digital advertising ecosystem, enabling marketers to deliver highly targeted and personalized ads to users.
Imagine browsing for a new pair of shoes on one website, then later visiting a news site. Thanks to third-party cookies, you might see an ad for the exact pair of shoes you were looking at earlier, even though you never searched for them on the news site. This cross-site tracking can feel intrusive and raise privacy concerns.
In the upcoming sections, I'll delve into how users, web browser creators, and governments are all putting the squeeze on third-party cookies. Additionally, I'll provide some advice for website owners on alternative strategies to consider in this changing landscape.
Overview of browser vendors' stance on third-party cookies
In response to growing concerns about user privacy and the invasive nature of third-party cookies, browser vendors have started to take significant measures to limit their use. Let's take a look at how some popular browsers are handling third-party cookies and protecting user privacy:
Safari
Apple's Safari browser has been at the forefront of the fight against third-party cookies with its Intelligent Tracking Prevention (ITP) feature. Introduced in 2017, ITP uses machine learning algorithms to identify and block third-party cookies that are used for tracking purposes, effectively limiting advertisers' ability to track users across multiple websites.
Firefox
Mozilla's Firefox browser has also made significant strides in protecting user privacy by introducing Enhanced Tracking Protection (ETP) in 2019. ETP blocks known third-party tracking cookies by default, preventing advertisers from collecting user data and tracking their browsing habits across different websites.
Microsoft Edge
Microsoft's Edge browser has adopted a similar approach, implementing its Tracking Prevention feature to block third-party tracking cookies. Users can customize the level of protection by choosing between Basic, Balanced, and Strict settings, allowing them to decide how aggressively they want to limit third-party cookies and other tracking technologies.
Google Chrome
As the most popular browser with a significant market share, Google Chrome's approach to third-party cookies carries considerable weight in the online ecosystem. Google has announced that they will finally eliminate third-party cookies at the end of 2024 and aims to replace it with a privacy sandbox. This sandbox aims to establish open standards for tracking users while preserving their privacy, such as by introducing new browser APIs like trust tokens. However, this initiative faces significant hurdles, as both the EU Commission and the UK's Competition and Markets Authority (CMA) have launched antitrust investigations into the matter.
Legal Implications and Changing Regulations
As user privacy concerns gain prominence, lawmakers around the world are enacting new regulations to protect consumers' personal data and restrict invasive tracking methods. These changing regulations, in addition to browser policies and plugins, are shaping the future of online advertising and data collection. Let's explore the current and upcoming legal landscape.
Current Data Privacy Laws and Relevant Court Rulings
-
General Data Protection Regulation (GDPR)
A comprehensive data protection law enacted by the European Union, GDPR has set strict rules for handling personal data and requires businesses to obtain user consent before using cookies or other tracking technologies.
-
Austrian GDPR Breach
An Austrian website using Facebook tracking tools faced penalties for unlawfully transferring user data to the US, violating Article 44 GDPR, and subsequent arguments regarding deactivation and journalistic exceptions were deemed irrelevant.
-
Spanish Location Data Ruling
Spanish courts annulled a decision by the Spanish DPA (AEPD) that had allowed Virgin telco to deny customers access to their location data; privacy group noyb successfully argued that location data is personal data and must be disclosed under the right to access.
-
Meta prohibited from using personal data for ads in Europe
The European Data Protection Board (EDPB) rejected Meta's bypass of the GDPR, requiring the company to obtain opt-in consent for personalized ads and provide users with a yes/no option; Meta now faces a €390 million fine.
-
The State of Privacy in the States
As you may have noticed, the above are all from the EU, which is the front-runner for online privacy regulations. In the U.S., there is no comprehensive federal data privacy law, leading individual states to create their own patchwork of laws and regulations.
The Federal Trade Commission (FTC) enforces privacy laws and protects consumers from deceptive trade practices. Five states have passed comprehensive privacy laws: California, Virginia, Colorado, Utah, and Connecticut, each with unique provisions and enforcement mechanisms. The California Privacy Rights Act (CPRA) is currently the most comprehensive state data privacy law. Many other states have active or inactive privacy legislation, reflecting a nationwide push for more robust data privacy protections.
The Future of Online Data Privacy
-
The EU-U.S. Data Privacy Framework
The future of the EU-U.S. Data Privacy Framework hinges on the European Commission's review and potential approval, with input from the European Data Protection Board. If approved, the framework could become the new standard for data transfers between the EU and the U.S., providing businesses with a more secure and legally compliant method.
-
E-Privacy Regulation
The e-Privacy Regulation (ePR), expected to be in force by 2023 at the earliest, will introduce stronger privacy rules for electronic communications, including consent requirements for processing metadata and simplifying cookie regulations. With a 24-month transition period, businesses will need to achieve compliance by 2025, adapting to extended rules covering services like WhatsApp, Facebook Messenger, and Skype.
Penalties and risks for non-compliant site owners
Non-compliant site owners face significant penalties and risks if they fail to adhere to data privacy regulations such as GDPR, CCPA, or other national and regional laws. The consequences of non-compliance can be severe, impacting both the financial and reputational aspects of a business.
Fines and penalties
Non-compliant site owners can face substantial fines that may amount to millions of euros or dollars. For instance, under GDPR, fines can reach up to €20 million or 4% of a company's global annual turnover, whichever is higher. In the case of CCPA, companies can be penalized with fines up to $7,500 per intentional violation.
Legal action
Non-compliance with data privacy laws can result in lawsuits, either raised by regulatory authorities or by individuals whose data privacy rights have been violated.
In addition, non-compliant site owners may suffer significant reputational damage if they are found to be violating data privacy regulations.
Adapting to a Cookieless Future: Alternatives and Strategies
As the digital landscape evolves and privacy regulations become more stringent, site owners must adapt to a cookieless future. By exploring alternatives and implementing new strategies, businesses can continue to engage with users, protect their privacy, and deliver personalized experiences. Here are some key approaches to help businesses adapt to a cookieless future:
First-party data
Focus on collecting and leveraging first-party data, which is information directly provided by users or gathered from their interactions with your site. This data can be used to create personalized experiences and targeted marketing campaigns while remaining compliant with privacy regulations. Encourage users to sign up for newsletters, create accounts, or participate in surveys to collect valuable first-party data. AseirX is a market leader on this segment and has a collection of open source tools that helps with collecting and utilizing first party data.
Contextual advertising
Contextual advertising targets users based on the content they are currently viewing, rather than their browsing history or personal information. By aligning your ads with relevant content, you can still reach your target audience without relying on cookies.
Consent management platforms (CMPs)
Implement a CMP to obtain user consent for data collection and processing, ensuring compliance with privacy regulations. A well-designed CMP can help build trust with users while providing them with control over their personal information.
Privacy-centric identity solutions
Explore privacy-centric identity solutions, such as AesirX WEB3 ID, which aim to replace third-party cookies with a more secure and privacy-focused alternative. The solution relies on storing user data in a zero knowledge blockchain to track users without compromising their privacy.
Conclusion
In conclusion, it is imperative that businesses prioritize the protection of their users' private data and cease any exploitative practices. The only sustainable solution is to adopt a zero-knowledge approach, empowering users to control their data and decide with whom they want to share it. Failure to embrace this change will result in a never-ending game of whack-a-mole, as businesses struggle to keep up with the constant evolution of data privacy rules and regulations. By committing to a user-centric approach, organizations can ensure long-term success and maintain trust in the digital age.
By Soren Beck Jensen
Communications Director, AesirX
